https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250562#M74866 <P>Thanks this is so simple I was over thinking it. </P> <P>Question - does this respect the relationship between the values(OIDValue) column and the values(OID) column? In other words, does splunk know they correspond? It would appear that, although they line up, they aren't necessarily in rows as one would expect related data to be. </P> Fri, 08 Jul 2016 20:37:04 GMT evan_roggenkamp 2016-07-08T20:37:04Z https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250559#M74863 <P>I am trying to join two searches with a common TrapID field. The OIDValue column corresponds with the OID Column</P> <P>The first: </P> <PRE><CODE>index=cyan_varbind source=oriondb sourcetype=cyan_varbind | stats values(OIDValue) by TrapID </CODE></PRE> <P>The second:</P> <PRE><CODE>index=cyan_varbind source=oriondb sourcetype=cyan_varbind | stats values(OID) by TrapID </CODE></PRE> <P>Visual: </P> <P><IMG src="http://i.imgur.com/vJlPp2y.png" alt="alt text" /></P> Fri, 08 Jul 2016 20:04:24 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250559#M74863 evan_roggenkamp 2016-07-08T20:04:24Z https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250560#M74864 <P>How about this</P> <PRE><CODE>index=cyan_varbind source=oriondb sourcetype=cyan_varbind | stats values(OIDValue) values(OID) by TrapID </CODE></PRE> Fri, 08 Jul 2016 20:13:29 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250560#M74864 somesoni2 2016-07-08T20:13:29Z https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250561#M74865 <P>Like this:</P> <PRE><CODE>index=cyan_varbind source=oriondb sourcetype=cyan_varbind | stats values(OIDValue) values(OID) BY TrapID </CODE></PRE> Fri, 08 Jul 2016 20:25:36 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250561#M74865 woodcock 2016-07-08T20:25:36Z https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250562#M74866 <P>Thanks this is so simple I was over thinking it. </P> <P>Question - does this respect the relationship between the values(OIDValue) column and the values(OID) column? In other words, does splunk know they correspond? It would appear that, although they line up, they aren't necessarily in rows as one would expect related data to be. </P> Fri, 08 Jul 2016 20:37:04 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250562#M74866 evan_roggenkamp 2016-07-08T20:37:04Z https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250563#M74867 <P>No, to do that, you need to use <CODE>list</CODE> instead of <CODE>values</CODE>, like this:</P> <PRE><CODE>index=cyan_varbind source=oriondb sourcetype=cyan_varbind | stats list(OIDValue) list(OID) BY TrapID </CODE></PRE> <P>Or combine them first like this</P> <PRE><CODE>index=cyan_varbind source=oriondb sourcetype=cyan_varbind | eval OIDcombo = OID . ":" . OIDValue | stats values(OIDCombo) BY TrapID </CODE></PRE> Fri, 08 Jul 2016 20:40:21 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250563#M74867 woodcock 2016-07-08T20:40:21Z https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250564#M74868 <P>This has been so helpful to me. I cannot thank you enough. </P> Fri, 08 Jul 2016 20:48:22 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250564#M74868 evan_roggenkamp 2016-07-08T20:48:22Z https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250565#M74869 <P>This has been immensely helpful for me as well! Do you know how you would select just the most recent OIDValue for each OID? For my examples I've got:<BR /> main search | eval TransferResults = type ."=". status | stats values(TransferResults) by referenceId</P> <P>but each type has multiple statuses:<BR /> IP=ERROR<BR /> IP=SUCCESS<BR /> NATIVE=ERROR<BR /> NATIVE=SUCCESS<BR /> X1=ERROR<BR /> X1=SUCCESS</P> <P>and in this case, the most recent statuses are all =SUCCESS so I'm trying to show that.</P> Fri, 07 Jun 2019 19:19:19 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-quot-stats-values-quot-columns-by-similar-field/m-p/250565#M74869 chrismcharvey 2019-06-07T19:19:19Z